Changeset 32772

Timestamp:
13.02.2019 17:46:00 (11 days ago)
Author:
ak19
Message:

Handling the whole set of reserved and unsafe characters listed at  https://perishablepress.com/stop-using-unsafe-characters-in-urls/

Files:
1 modified

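--- a/main/trunk/greenstone3/web/interfaces/default/js/document_scripts.js
+++ b/main/trunk/greenstone3/web/interfaces/default/js/document_scripts.js
@@ -25,8 +25,87 @@
 ********************/
 
-function makeURLSafe(url) {
-
-    url =  url.replace(/ /g, "%20").replace(/\//g, "%2F").replace(/\:/g, "%3A").replace(/=/g, "%3D").replace(/\[/g,"%5B").replace(/\]/g,"%5D");
-    return url;
+/*
+  Tomcat 8 appears to be stricter in requiring unsafe and reserved chars
+  in URLs to be escaped with URL encoding
+  See section "Character Encoding Chart of
+  https://perishablepress.com/stop-using-unsafe-characters-in-urls/
+  Reserved chars:
+     ; / ? : @ = &
+     ----->  %3B %2F %3F %3A %40 %3D %26
+  Unsafe chars:
+     " < > # % { } | \ ^ ~ [ ] ` and SPACE/BLANK
+     ----> %22 %3C %3E %23 %25 %7B %7D %7C %5C %5E ~ %5B %5D %60 and %20
+  But the above conflicts with the reserved vs unreserved listings at
+     https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI
+  Possibly more info: https://stackoverflow.com/questions/1547899/which-characters-make-a-url-invalid
+
+*/
+/* URL encode RESERVED characters in a non-URL context of a URL, such as the inline template (ilt) parameter value of a URL */
+function makeSafeForURL(url_part) {
+    // https://stackoverflow.com/questions/7368407/javascript-replace-a-set-of-characters-with-another-one
+    var reserved_mappings = {
+    ';': '%3B',
+    '/': '%2F',
+    '?': '%3F',
+    ':': '%3A',
+    '@': '%40',
+    '=': '%3D',
+    '&': '%26'
+    };
+    
+    encode_percentages = 1; // to force the URL-encoding of any % in url_part, do this for inline-templates that haven't ever been encoded
+    url_part = makeURLSafe(url_part, encode_percentages);
+
+    var url_encoded = url_part.replace(/[\;\/\?\:\@\=\&]/g, function(s) {
+    return reserved_mappings[s];
+    });
+    
+    //var url_encoded = url_part.replace(/;/g, "%3B").replace(/\//g, "%2F").replace(/\?/g, "%3F").replace(/\:/g, "%3A").replace(/\@/g, "%40").replace(/=/g, "%3D").replace(/\&/g,"%26");
+    return url_encoded;
+}
+
+/* 
+   URL encode UNSAFE characters to make URL valid 
+   Set encode_percentages to 1 (true) if the url isn't already partly URL encoded
+*/
+function makeURLSafe(url, encode_percentages) {
+    // https://stackoverflow.com/questions/12797118/how-can-i-declare-optional-function-parameters-in-javascript
+    encode_percentages = encode_percentages || 0;
+    
+    var unsafe_mappings = {
+    ' ': '%20',
+    '"': '%22',
+    '<': '%3C',
+    '>': '%3E',
+    '#': '%23',
+    '{': '%7B',
+    '}': '%7D',
+    '|': '%7C',
+    '\\': '%5C',
+    '^': '%5E',
+    //'~': '~', // unreserved char (but is it then unsafe?), as per https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI
+    '[': '%5B',
+    ']': '%5D',
+    '`': '%60'
+    };    
+
+    var url_encoded = url;
+    if(encode_percentages) {
+    // https://stackoverflow.com/questions/1168807/how-can-i-add-a-key-value-pair-to-a-javascript-object
+    //unsafe_mappings["%"] = "%25";
+    url_encoded = url_encoded.replace(/\%/g,"%25"); // encode % first
+
+    }
+    url_encoded = url_encoded.replace(/[\ \"\<\>\#\{\}\|\\\^\[\]\`]/g, function(s) {
+    return unsafe_mappings[s];
+    });
+    
+
+    //var url_encoded = url;
+    ///if(encode_percentages) { url_encoded = url_encoded.replace(/\%/g,"%25"); } // encode % first
+    //url_encoded = url_encoded.replace(/ /g, "%20").replace(/\"/g,"%22").replace(/\</g,"%3C").replace(/\>/g,"%3E").replace(/\#/g,"%23").replace(/\{/g,"%7B").replace(/\}/g,"%7D");
+    //url_encoded = url_encoded.replace(/\|/g,"%7C").replace(/\\/g,"%5C").replace(/\^/g,"%5E").replace(/\[/g,"%5B").replace(/\]/g,"%5D").replace(/\`/g,"%60");
+    
+    return url_encoded;
 }
 
@@ -47,5 +126,5 @@
     template += '</xsl:template>';
     
-    template = makeURLSafe(template);
+    template = makeSafeForURL(template);
     
     var hlCheckBox = document.getElementById("highlightOption");
@@ -117,5 +196,5 @@
     template += '</xsl:template>';
 
-    template = makeURLSafe(template);
+    template = makeSafeForURL(template);
     var url = gs.xsltParams.library_name + "/collection/" + gs.cgiParams.c + "/document/" + sectionID + "?ilt=" + template;
 
@@ -686,5 +765,5 @@
     ilt += '</xsl:template>';
     
-    ilt = makeURLSafe(ilt);
+    ilt = makeSafeForURL(ilt);
 
 
@@ -951,5 +1030,5 @@
         template +=   '</html>';
         template += '</xsl:template>';
-    template = makeURLSafe(template);
+    template = makeSafeForURL(template);
         var url = href + "?noText=1&ilt=" + template;
 
@@ -1355,5 +1434,5 @@
     template +=   ']</images>';
     template += '</xsl:template>';
-    template = makeURLSafe(template);
+    template = makeSafeForURL(template);
     var url = gs.xsltParams.library_name + "/collection/" + gs.cgiParams.c + "/document/" + gs.cgiParams.d + "?ed=1&ilt=" + template;
 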
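Review bot: makeSafeForURL encodes only the characters enumerated in its two mapping tables, so anything outside them in the `ilt` value (for example `+`, `,`, `$`, line breaks or non-ASCII text) still reaches the query string raw; whether the inline templates ever contain those is not visible here, but `+` in particular is commonly decoded as a space on the server side. Since the function already percent-encodes `%` first and treats its input as a single parameter value, the built-in covers the same set and more in one call: `return encodeURIComponent(url_part);`. Separately, `encode_percentages = 1;` in makeSafeForURL has no `var`, so it creates or overwrites a global; `url_part = makeURLSafe(url_part, 1);` avoids the extra name. The commented-out `.replace()` chains left in both functions could be dropped, since the mapping-table version supersedes them.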